Summary of Completed Project

We developed formal methods and tools for the verification of real-time systems. This was
accomplished by extending techniques, based on automata theory and temporal logic, that
have been successful for the verification of time-independent reactive systems. As system
specification language for embedded real-time systems, we introduced hybrid automata,
which equip traditional discrete automata with real-numbered clock variables and
continuous environment variables. As requirements specification languages, we introduced
temporal logics with clock variables for expressing timing constraints. Since the state
spaces of systems with real-numbered clock variables are infinite, all verification must
proceed symbolically. Symbolic verification methods are based either on deductive
reasoning, using proof rules for symbolic logics, or on algorithmic analysis, using model
checking procedures that operate on symbolic representations of state sets. We developed
proof calculi for checking if a hybrid automaton satisfies linear-time clock properties, and
we developed and implemented symbolic procedures for checking if a piecewise-linear
hybrid automaton satisfies branching-time clock properties. The continuous variables of
piecewise-linear hybrid automata follow trajectories within piecewise-linear envelopes,
which can be used to approximate conservatively the behavior of more general, nonlinear
systems. We also studied the complexity of various formulations of the verification
problem for real-time systems, and we identified the exact boundary between decidability
and undecidability of real-time reasoning.
1. PhD Dissertations

Pei-Hsin Ho (1995): Automatic Analysis of Hybrid Systems
Peter W. Kopke (1996): The Theory of Rectangular Hybrid Automata

2. Publications

See http://www.eecs.berkeley.edu/~tah/Publications

3. Software

We developed and implemented HyTech, a symbolic model checker for the automatic
analysis of embedded real-time systems. HyTech, together with usage information, can be
downloaded from http://www.eecs.berkeley.edu/~tah/HyTech
OBJECTIVES

There has been no change in the objectives, which are:

1. Extending the model-checking methodology to the analysis of real-time and hybrid
systems.

2. Building a prototype model-checking tool for the analysis of real-time and hybrid
systems.


STATUS OF EFFORT

Over the last year, we obtained four significant new theoretical results, all of which are in
the process of being implemented in HyTech and its successor, Mocha. First, we showed
that for controllers that sample the system state, rather than watch it continuously, the
control problem is solvable efficiently for a wider class of hybrid systems. Second, we
solved the receptiveness problem for timed and hybrid systems, which is necessary for
modular design and analysis. Third, we identified a class of temporal properties of system
modules that can be model checked efficiently in isolation, without considering the
complete system. Fourth, we developed an efficient algorithm for the hierarchical
verification of reactive systems with fairness constraints, such as the progress of time.


ACCOMPLISHMENTS/NEW FINDINGS

We describe our four main results in greater detail.

Discrete-time control for rectangular hybrid automata [see 17 below]

Rectangular hybrid automata model digital control programs of analog plant environments.
We study rectangular hybrid automata where the plant state evolves continuously in
real-numbered time, and the controller samples the plant state and changes the control state
discretely, only at the integer points in time. We prove that rectangular hybrid automata
have finite bisimilarity quotients when all control transitions happen at integer times, even if
the constraints on the derivatives of the variables vary between control states. This is
sharply in contrast with the conventional model where control transitions may happen at
any real time, and already the reachability problem is undecidable. Based on the finite
bisimilarity quotients, we give an exponential algorithm for the symbolic
sampling-controller synthesis of rectangular automata. We show our algorithm to be optimal by
proving the problem to be EXPTIME-hard. We also show that rectangular automata form a
maximal class of systems for which the sampling-controller synthesis problem can be
solved algorithmically.

Modularity for timed and hybrid systems [16]

In a trace-based world, the modular specification, verification, and control of live systems
require each module to be receptive; that is, each module must be able to meet its liveness
assumptions no matter how the other modules behave. For example, physical realizability,
assume-guarantee reasoning about live trace inclusion, and controller synthesis for live
trace inclusion all depend on the receptiveness condition. In a real-time world, liveness is
automatically present in the form of diverging time. The receptiveness condition, then,
translates to the requirement that a module must be able to let time diverge no matter how
the environment behaves. We study the receptiveness condition for real-time systems by
extending the model of Reactive Modules to timed and hybrid modules. We define the
receptiveness of such a module as the existence of a winning strategy in a game of the
module against its environment. By solving the game on region graphs, we present an
(optimal) EXPTIME algorithm for checking the receptiveness of propositional timed
modules. By giving a fixpoint characterization of the game, we present a symbolic
procedure for checking the receptiveness of linear hybrid modules. Finally, we present an
assume-guarantee principle for reasoning about timed and hybrid modules, and a method
for synthesizing receptive controllers of timed and hybrid modules.

Alternating-time temporal logic [18]

Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal
quantification over all paths that are generated by system moves; branching-time temporal
logic allows explicit existential and universal quantification over all paths. We introduce a
third, more general variety of temporal logic: alternating-time temporal logic offers selective
quantification over those paths that are possible outcomes of games, such as the game in
which the system and the environment alternate moves. While linear-time and branching-time
logics are natural specification languages for closed systems, alternating-time logics
are natural specification languages for open systems. For example, by preceding the
temporal operator "eventually" with a selective path quantifier, we can specify that in the
game between the system and the environment, the system has a strategy to reach a certain
state. Also the problems of receptiveness, realizability, and controllability can be
formulated as model-checking problems for alternating-time formulas.

Depending on whether we admit arbitrary nesting of selective path quantifiers and temporal
operators, we obtain the two alternating-time temporal logics ATL and ATLstar. We
interpret the formulas of ATL and ATLstar with respect to two models of composition for
open systems, synchronous and asynchronous. In the case of synchronous ATL, the
expressive power beyond CTL comes at no cost: the model-checking complexity of ATL
is, for synchronous systems, linear in the size of the system and the length of the formula,
and for asynchronous systems, quadratic. The symbolic model-checking algorithm for
CTL extends with few modifications to synchronous ATL, and with more work, also to
asynchronous ATL. This makes ATL an obvious candidate for the automatic verification of
open systems. In the case of ATLstar, the model-checking problem is closely related to the
synthesis problem for linear-time formulas, and requires doubly exponential time for both
synchronous and asynchronous systems.
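To make the selective path quantifier concrete, here is an added example (not code from the report or from HyTech/Mocha) that runs the ATL fixpoint computation for the formulas "sys has a strategy to eventually reach goal" and "sys has a strategy to always stay safe" on a small synchronous two-player game structure, next to CTL's EF for comparison. The states, moves and transitions are constructed for illustration; the controllable-predecessor operator is the standard <<A>> next-step operator that the CTL algorithm is extended with.

```python
# Added example, not code from the report: ATL model checking on a tiny
# synchronous two-player game structure ("sys" vs "env"). Everything
# here (states, moves, transitions) is constructed for illustration.
ENV_MOVES = ("req", "quiet")
SYS_MOVES = {"idle": ("wait", "go"), "busy": ("wait", "go"),
             "goal": ("wait",), "err": ("wait",)}
# (state, sys move, env move) -> successor; both players move simultaneously
DELTA = {
    ("idle", "wait", "req"): "idle",  ("idle", "wait", "quiet"): "idle",
    ("idle", "go", "req"): "busy",    ("idle", "go", "quiet"): "busy",
    ("busy", "wait", "req"): "err",   ("busy", "wait", "quiet"): "busy",
    ("busy", "go", "req"): "goal",    ("busy", "go", "quiet"): "goal",
    ("goal", "wait", "req"): "goal",  ("goal", "wait", "quiet"): "goal",
    ("err", "wait", "req"): "err",    ("err", "wait", "quiet"): "idle",
}
STATES = frozenset(SYS_MOVES)

def pre_sys(target):
    """Controllable predecessor: sys has a move such that every env
    reply lands in `target` (the <<sys>> next-step operator)."""
    return {s for s in STATES
            if any(all(DELTA[s, m, e] in target for e in ENV_MOVES)
                   for m in SYS_MOVES[s])}

def pre_exists(target):
    """CTL's EX: some joint move lands in `target` (env may cooperate)."""
    return {s for s in STATES
            if any(DELTA[s, m, e] in target
                   for m in SYS_MOVES[s] for e in ENV_MOVES)}

def lfp(f, seed):
    """Least fixpoint of X = seed | f(X): the shape of <<A>> eventually / EF."""
    x = set(seed)
    while (nxt := x | f(x)) != x:
        x = nxt
    return x

def sys_eventually(target):     # <<sys>> eventually target
    return lfp(pre_sys, target)

def exists_eventually(target):  # CTL EF target, for comparison
    return lfp(pre_exists, target)

def sys_always(safe):           # <<sys>> always safe: greatest fixpoint
    x = set(safe)
    while (nxt := x & pre_sys(x)) != x:
        x = nxt
    return x

if __name__ == "__main__":
    print(sorted(sys_eventually({"goal"})))     # ['busy', 'goal', 'idle']
    print(sorted(exists_eventually({"goal"})))  # ['busy', 'err', 'goal', 'idle']
    print(sorted(sys_always({"idle", "busy", "goal"})))
```

From "err", EF goal holds because the environment could choose "quiet" and let sys recover, but <<sys>> eventually goal does not, since env can reply "req" forever; that gap is exactly what the selective quantifier expresses.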


Fair simulation [15]

The simulation preorder for labeled transition systems is defined locally as a game that
relates states with their immediate successor states. Liveness assumptions about transition
systems are typically modeled using fairness constraints. Existing notions of simulation for
fair transition systems, however, are not local, and as a result, many appealing properties
of the simulation preorder are lost. We extend the local definition of simulation to account
for fairness: system S fairly simulates system I iff in the simulation game, there is a
strategy that matches with each fair computation of I a fair computation of S. Our definition
enjoys a fully abstract semantics and has a logical characterization: S fairly simulates I iff
every fair computation tree embedded in the unrolling of I can be embedded also in the
unrolling of S or, equivalently, iff every Fair-AFMC formula satisfied by I is satisfied also
by S (AFMC is the universal fragment of the alternation-free mu-calculus). The locality of
the definition leads us to a polynomial-time algorithm for checking fair simulation for
finite-state systems with weak and strong fairness constraints. Finally, fair simulation implies fair
trace-containment, and is therefore useful as an efficiently-computable local criterion for
proving linear-time abstraction hierarchies.